Date post: | 22-Dec-2015 |
Office 365 Compliance & Privacy
A. J. Schwab, Vijay Kumar
OFC-B334
Cloud value: continuous innovation with confidence and control
• Respond to customer feedback through agile development
• Deliver new features and value
• Trust and compliance
• Continuous release cadence: minor and major updates; up-to-date, no patching
• Security comes first; evolving standards
• Direct feedback, real-time information, common support issues
What we've delivered: July 2013 – June 2014 highlights
• Office Mix
• Simplified Admin Center experience
• The New Office
• New Partner Admin Center
• Office 365 Adapter
• Embedded Images OWA Policy Tips
• Updated Lync mobile clients
• Office 365 SSO with SAML 2.0 Identity Providers
• Multi-factor authentication
• Service Pack 1 for Office 365 ProPlus
• SAP and Power BI and Power Query support
• Windows Azure Active Authentication
• DirSync Scoping and Filtering
• Exchange Online Inactive Mailboxes
• PDF support for SharePoint Online
• Lync Online Integrated Reporting
• Office Online real-time co-authoring
• OneNote for Mac, Android, iPhone, and iPad updates
• Office 365 operated by 21Vianet
• Admin App for iOS, Android, and WP
• OWA Calendar Search
• OneDrive for Business Storage increase
• Power Map for Excel
• SharePoint Newsfeed App for Windows 8
• Lync meeting scheduling from OWA
• Office Mobile for iPhone & Android phones
• Rights Management Services
• OneNote for iPad
• Exchange Online Address Book Policies
• Message Center
• EXO: 50 GB Mailboxes
• Exchange group naming policy
• OWA for iPhone & OWA for iPad
• New SharePoint Workflows
• Simplified Yammer login
• Office Lens
• Power Map GA for all Excel 2013 users
• OneDrive for Business Improvements
• 90 Day message trace
• OneDrive for Business Sync for Windows
• Lync Online Remote PowerShell
• Lync mobile client updates
• Office 365 Switch Plans
• OneNote for iPhone and Android phones
• Azure AD Password Sync
• Lync and SharePoint Service Reporting
• Connecting Skype & Lync
• OneDrive for Business apps for Windows 8 & iOS
• People View in OWA
• 1 TB for OneDrive for Business
• Office 365 Developer APIs
• S/MIME Encryption
• Office for iPad + 1.1 update
• Project Lite released
Recent & upcoming capabilities
• Office for iPad
• Delve & Office Graph
• Video in Office 365: create, manage, and subscribe to various channels; capture, share, and discover videos from any device; secure cloud-based video upload, storage and optimized playback
Compliance & Privacy in the cloud
The cloud is still new. You may ask about:
• How well your data is protected in the cloud
• How to explain the cloud to compliance officers, auditors, and regulators
Earning Trust: Microsoft experience and credentials
Timeline slide spanning 1989, 1995, 2000, 2005, 2010 and 2013 (year placement of each item not preserved). Microsoft is one of the world's largest cloud providers and datacenter/network operators.
• Services and platforms: 1st Microsoft Data Center, MSN, Hotmail, Bing/MSN Search, Xbox Live, Windows Update, Active Directory, Exchange Hosted Services (part of Office 365), Microsoft Online Services (MOS), Windows Azure, Outlook.com
• Security programs: Bill Gates memo, Trustworthy Computing Initiative (TwC), Microsoft Security Response Center (MSRC), Microsoft Security Engineering Center - Security Development Lifecycle (SDL), Malware Protection Center, Microsoft Security Essentials, Global Foundation Services (GFS)
• Compliance credentials: SAS-70, SSAE-16, ISO 27001 Certification, FISMA, U.S.-EU Safe Harbor, European Union Model Clauses (EUMC), Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), Data Processing Agreement (DPA), CJIS Security Policy Agreement
Principles of Trust for Office 365
• It's your data: you own it, you control it
• We run the service for you: we are accountable to you
• Transparent service operation
• Privacy by design
• Continuous compliance
• Built-in security
• Independent verification: third-party validation, regulatory compliance, confidence in the results
Compliance: we support industry standards and organizational compliance
• Built-in capabilities for global compliance: enable customers to meet global compliance standards such as ISO 27001, EUMC, HIPAA and FISMA
• Contractually commit to privacy, security and handling of customer data
• Customer controls for compliance with internal policies: admin controls like Data Loss Prevention, Archiving and E-Discovery to enable organizational compliance
How does Office 365 meet compliance?
Office 365 has over 900 controls today, organized as Office 365 Services | Master Control Set | Standards:
• Service capabilities: physical security, security best practices, secure network layer, data encryption (encryption of stored data and more), account management, incident monitoring, data minimization & retention, access control
• Customer controls: DLP, OME, S/MIME, RBAC, RMS, new certifications and more
Control Set
• Based on NIST Special Publication 800-53
• Internationally recognized security and privacy controls
• Specific and adaptable
• NIST provides a mapping to ISO 27001; we map other standards like SOC 1, SOC 2 and EU Model Clauses
Example: how an example control appears in our Control Set (diagram not preserved)
The control set absorbs regulatory complexity.
Standards & Certifications

Standard / Certification | Region  | Market
SSAE/SOC                 | Global  | Finance
ISO 27001                | Global  | Global
EUMC                     | Europe  | Europe
FERPA                    | U.S.    | Education
FISMA/FedRAMP            | U.S.    | Government
HIPAA                    | U.S.    | Healthcare
HITECH                   | U.S.    | Healthcare
ITAR                     | U.S.    | Defense
HMG IL2                  | UK      | Government
CJIS                     | U.S.    | Law Enforcement
IRS 1075                 | U.S.    | Government
Article 29               | Europe  | Europe
SOC 2                    | Global  | Global

Working on ISO 27018
Ever Evolving Approach to Compliance: Compliance Management Framework
• Market & competitive intelligence
• Regulatory impact analysis (RSIA)
• Define security and privacy controls
• Determine implementation requirements
• Implement controls
• Document implementation
• Continuous monitoring
• Independent verification (audits) and independent testing
• Prioritize remediation
How Office 365 Controls Meet Compliance
Same control map (Office 365 Services | Master Control Set | Standards; over 900 controls today):
• Service capabilities: physical security, security best practices, secure network layer, data encryption (encryption of stored data and more), account management, incident monitoring, data minimization & retention, access control
• Customer controls: DLP, OME, S/MIME, RBAC, RMS, new certifications and more
• Audits: independent verification that the controls are effective
Control Effectiveness Assessment (Audit) Schedule
Chart covering Nov 2014 through Nov 2015 (month-by-month placement not preserved); audits in the period: ISO, FedRAMP, MT, ISAE3402/SOC, ITAR, ISO
Audit cadence
We audit control effectiveness using third-party independent auditors that are well known or government certified:
• ISO 27001 audits: BSI
• ISAE3402/SOC audits: Deloitte LLP
• Other audits: SecureInfo and Veris Group
Audit Reports
ISO audit report – sample (image)
Right to Examine: customers can request a copy of the latest audit reports
Compliance Program
Benefits of Compliance
Controls, compliance, and audits exist to help mitigate risk. Organizations face risk constantly: competitors, external events, and bad actors.
What can you do about a risk? Mitigate, transfer, accept, or avoid.
With Office 365, a number of risks can be mitigated by Microsoft.
Risk Management
Risk management framework: part of the responsibility for the secure management of the service lies with each customer.
Managing Risk
Office 365 supports a high degree of customer configuration. Customers must put the following controls in place to ensure the security of their data:
• Account management
• Access control
• Segregation of duties
• Awareness and training
• Support requests
• Use the flexible customer controls in Office 365
Summary
• Comprehensive controls
• Engineering investments
• Extensive experience in enterprise software
• Privacy is a core component of Microsoft's DNA
Compliance customer controls
• Archiving
• Data Retention & Lifecycle
• eDiscovery
• Auditing
• Data Loss Prevention
Overview of Security and Compliance controls in Office 365 - http://aka.ms/customercontrols
Data Loss Prevention
Helps to identify, monitor and protect sensitive data through deep content analysis:
• Identify
• Monitor
• Protect
• End user education
DLP policy enforcement actions: alert, classify, encrypt, append, override, review, redirect, block
Flexible tools for policy enforcement that provide the right level of control: Transport Rules, Rights Management, Data Loss Prevention
Data Loss Prevention (DLP)
Prevents sensitive data from leaving the organization:
• Provides an alert when data such as Social Security and credit card numbers is emailed
• Alerts can be customized by the admin to catch intellectual property being emailed out
Empower users to manage their compliance
• Contextual policy education
• Doesn't disrupt user workflow
• Works even when disconnected
• Configurable and customizable: admin-customizable text and actions
• Built-in templates based on common regulations
• Import DLP policy templates from security partners or build your own
DLP document fingerprinting
• Protect sensitive documents from being accidentally shared outside your organization
• No coding required; simply upload sample documents to create fingerprints
• Scan email and attachments to look for patterns that match document templates
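The deck shows DLP configured through the admin center. The same policy can be scripted through Exchange Online Remote PowerShell, which is what an admin would do to keep the configuration reviewable and repeatable. The following is an added example, not code from the deck or from Microsoft: it assumes an already-imported Exchange Online session with the Compliance Management role, and the policy names, mailbox addresses and template path are illustrative. It walks the enforcement ladder the slides describe (audit first, then Policy Tip with override, then enforce) and turns a sample document into a fingerprint-based classification.

```powershell
# Added example (not from the deck). Assumes: Import-PSSession of an Exchange Online
# Remote PowerShell session; Windows PowerShell 5.1 (Get-Content -Encoding Byte).
# All names, addresses and paths below are illustrative.

# 1. Start from a built-in regulatory template in Audit mode, so incident reports
#    accumulate before any mail is blocked. The exact template name varies, so look it up.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -like "*PCI*" } | Select-Object -First 1
$pciPolicy = "PCI Cardholder Data"
New-DlpPolicy -Name $pciPolicy -Template $template.Name -Mode Audit

# The template generated ordinary transport rules tagged with the policy; review them.
Get-TransportRule | Where-Object { $_.DlpPolicy -eq $pciPolicy } | Format-Table Name, Mode, State

# 2. Custom rule: a credit-card number leaving the org is rejected unless the sender
#    supplies a business justification via the Policy Tip (explicit override), and an
#    incident report (with the matched classifications) goes to the compliance mailbox.
New-TransportRule -Name "Block external CCN unless justified" `
    -DlpPolicy $pciPolicy `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -NotifySender RejectUnlessExplicitOverride `
    -RejectMessageReasonText "Credit card numbers may not leave the company without a justification." `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Sender, Recipients, Subject, Severity, Override, RuleDetections, DataClassifications `
    -Mode Audit

# 3. Document fingerprinting: hash a blank form template into a reusable classification.
$bytes = [Byte[]](Get-Content -Path "C:\Templates\Patent-Application.docx" -Encoding Byte -ReadCount 0)
$fingerprint = New-Fingerprint -FileData $bytes -Description "Patent application form (blank)"
New-DataClassification -Name "Patent Application" -Fingerprints $fingerprint `
    -Description "Filled-in copies of the internal patent application form"

# 4. A separate IP policy: matching documents sent externally are rights-protected
#    ("Do Not Forward" is the default RMS template) rather than blocked, so outside
#    counsel still receives them, and the sender is told why.
$ipPolicy = "Intellectual Property"
New-DlpPolicy -Name $ipPolicy -Mode Audit
New-TransportRule -Name "Protect patent forms sent externally" `
    -DlpPolicy $ipPolicy `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{ Name = "Patent Application" }) `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -NotifySender NotifyOnly

# 5. After the incident reports have been reviewed for false positives, enforce both policies.
Set-DlpPolicy -Identity $pciPolicy -Mode Enforce
Set-DlpPolicy -Identity $ipPolicy -Mode Enforce
```

Two practitioner notes: RejectUnlessExplicitOverride is what makes the "override" action on the previous slide auditable, because the justification text is captured in the incident report; and a fingerprint should be built from an empty template, not a completed one, otherwise the classification also matches the specific filled-in values rather than the form's structure.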
Email archiving and retention
Preserve
• In-Place Archive: secondary mailbox with separate quota; managed through EAC or PowerShell; available on-premises, online, or through EOA
• Governance: automated and time-based criteria; set policies at item or folder level; expiration date shown in the email message
• Hold: capture deleted and edited email messages; time-based In-Place Hold; granular query-based In-Place Hold; optional notification
Search
• eDiscovery: web-based eDiscovery Center and multi-mailbox search; search primary, In-Place Archive, and recoverable items; delegate through role-based administration; de-duplication after discovery; auditing to ensure controls are met
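The four columns above (archive, governance, hold, eDiscovery) are each a handful of Exchange Online cmdlets. The following is an added example, not from the deck or from Microsoft; it assumes an imported Exchange Online Remote PowerShell session with the Records Management and Discovery Management roles, and the mailboxes, tag names, periods and search query are illustrative. It shows the difference between the time-based and the query-based hold the slide lists, and closes with the auditing that proves the hold and search were actually performed.

```powershell
# Added example (not from the deck). Assumes an Exchange Online Remote PowerShell session;
# addresses, names, retention periods and the search query are illustrative.

# In-Place Archive: a second mailbox with its own quota.
Enable-Mailbox -Identity "alice@contoso.com" -Archive

# Governance: a default tag (Type All) moves items to the archive after 2 years, and a
# personal tag lets users mark items for recoverable deletion after 7 years. Both are
# linked into one policy that is then assigned to the mailbox.
New-RetentionPolicyTag -Name "Archive after 2 years" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Delete after 7 years" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Finance Retention" `
    -RetentionPolicyTagLinks "Archive after 2 years", "Delete after 7 years"
Set-Mailbox -Identity "alice@contoso.com" -RetentionPolicy "Finance Retention"

# Hold, time-based: keep everything in these mailboxes for 365 days from receipt,
# including items the user deletes or edits (they stay in Recoverable Items).
New-MailboxSearch -Name "Finance-TimeBasedHold" `
    -SourceMailboxes "alice@contoso.com", "bob@contoso.com" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365

# Hold, query-based: only items about one matter, held until the hold is removed.
New-MailboxSearch -Name "Project-Falcon-Hold" `
    -SourceMailboxes "alice@contoso.com", "bob@contoso.com" `
    -SearchQuery '"Project Falcon"' `
    -InPlaceHoldEnabled $true -ItemHoldPeriod Unlimited

# eDiscovery: search primary mailbox, archive and Recoverable Items, copy the
# de-duplicated results to the discovery mailbox, and run it.
New-MailboxSearch -Name "Project-Falcon-Discovery" `
    -SourceMailboxes "alice@contoso.com", "bob@contoso.com" `
    -SearchQuery '"Project Falcon"' `
    -TargetMailbox "Discovery Search Mailbox" `
    -ExcludeDuplicateMessages $true -LogLevel Full
Start-MailboxSearch -Identity "Project-Falcon-Discovery"
Get-MailboxSearch -Identity "Project-Falcon-Discovery" | Format-List Status, ResultNumber, ResultSize

# Delegation through RBAC: only members of this role group can create or run searches.
Add-RoleGroupMember -Identity "Discovery Management" -Member "legal-hold-admin@contoso.com"

# Auditing: record delegate actions on the held mailbox, then report who created or ran
# searches in the last 30 days (admin audit log captures the cmdlets, not the EAC clicks).
Set-Mailbox -Identity "alice@contoso.com" -AuditEnabled $true `
    -AuditDelegate SendAs, SendOnBehalf, MessageBind, FolderBind
Search-AdminAuditLog -Cmdlets New-MailboxSearch, Start-MailboxSearch `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
```

The distinction worth remembering: a time-based hold is scoped by age, so it silently covers items a query would have missed, while a query-based hold keeps the preserved set small but only as good as the query; many legal teams run both, and the admin audit log is what lets an auditor confirm the hold was in place before the search ran.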
Privacy
EU Data Protection Authorities validate Microsoft's approach to privacy
The Article 29 Working Party is the collection of data protection authorities in Europe regulating the world's toughest privacy laws. It validated Microsoft's commercial commitments for the DPA/EU Model Clauses (covering Office 365, Azure, CRM Online, and Intune).
• Microsoft is the only provider to have received this validation
• Standard part of contracts as of July 1st
http://www.tgdaily.com/enterprise/100136-microsoft-gains-eu-security-approval
Why Model Clauses Matter
• History of privacy in Europe
• Microsoft was the first major CSP to offer EUMC
• Set standards for data protection
• Subprocessors
Privacy
Privacy by design means that we do not use your information for anything other than providing you services.
• No advertising: no advertising products out of customer data; no scanning of email or documents to build analytics or mine data
• Privacy controls: various customer controls at admin and user level to enable or regulate sharing; if the customer decides to leave the service, they get to take their data and delete it in the service
• Transparency: access to information about the geographical location of data, who has access and when; notification to customers about changes in security, privacy and audit information
On government snooping…
To be clear, here's what we do, and what we don't do:
We don't provide any government with direct, unfettered access to your data.
We don't assist any government's efforts to break our encryption or provide any government with encryption keys.
We don't engineer back doors into our products and we take steps to ensure governments can independently verify this.
If, as reports suggest, there is a bigger surveillance program, we aren't involved.
Transparency
We have a high bar for privacy practices that support global standards for data handling and transfer.
• Where is data stored? Data maps and geographic boundary information are provided. Data centers and data location: 1+ million servers, 100+ datacenters.
• Who has access to your data? Core Customer Data is accessed only for troubleshooting and malware prevention purposes, and access is limited to key personnel on an exception basis.
• How to get notified? Microsoft notifies you of changes in data center locations and any changes to compliance.
Privacy of your data
We use customer data only for what customers pay us for: to maintain and provide the Office 365 service.

How Microsoft Online Services uses customer data

Purpose                                              | Usage Data | Account and Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operating and troubleshooting the service            | Yes        | Yes                           | Yes                                          | Yes
Security, spam and malware prevention                | Yes        | Yes                           | Yes                                          | Yes
Improving the purchased service, analytics           | Yes        | Yes                           | Yes                                          | No
Personalization, user profile, promotions            | No         | Yes                           | No                                           | No
Communications (tips, advice, surveys, promotions)   | No         | No/Yes                        | No                                           | No
Voluntary disclosure to law enforcement              | No         | No                            | No                                           | No
Advertising                                          | No         | No                            | No                                           | No

Who has access to customer data

Who                                                  | Usage Data | Address Book Data | Customer Data (excluding Core Customer Data) | Core Customer Data
Operations Response Team (limited to key personnel)  | Yes        | Yes, as needed    | Yes, as needed                               | Yes, by exception
Support Organization                                 | Yes, only as required in response to a support inquiry | Yes, only as required in response to a support inquiry | Yes, only as required in response to a support inquiry | No
Engineering                                          | Yes        | No direct access; may be transferred during troubleshooting | No direct access; may be transferred during troubleshooting | No
Partners                                             | With customer permission (see partner for more information) | With customer permission (see partner for more information) | With customer permission (see partner for more information) | With customer permission (see partner for more information)
Others in Microsoft                                  | No         | No (Yes for Office 365 for small business customers, for marketing purposes) | No | No
Vision for transparency in compliance: a customer dashboard for compliance
• Access to O365 compliance controls
• View customer-relevant reports: ISO and SOC audit reports
• Notifications about updates, regulatory changes, etc.
Summary
• Earning trust
• Independent testing
• Compliance benefits
• Customer controls
• Privacy
Trust Center
• Answers key questions of security and compliance officers
• Dynamic, engaging content that is refreshed every two weeks
END OF DECK
Technical Network
Join the conversation! Share tips and best practices with other Office 365 experts: http://aka.ms/o365technetwork
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Developer Network
http://developer.microsoft.com
Office 365 training and certification
• Online training (MVA): Office 365 Fundamentals; Managing Office 365 Identities and Services - http://bit.ly/O365-MVA
• Classroom training: FLC 40041 Introduction to Office 365; MOC 20346 Managing Office 365 Identities and Services; MOC 10968 Designing for Office 365 Infrastructure - http://bit.ly/O365-Training
• Exams: 346 Managing Office 365 Identities and Requirements; 347 Deploying Office 365 Services - http://bit.ly/O365-Cert
Get certified for 1/2 the price at TechEd Europe 2014! http://bit.ly/TechEd-CertDeal
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.